Adversarial Attacks and Defenses in Intrusion Detection Systems: A Survey
Ilja Moisejevs
Pages - 44 - 62     |    Revised - 31-08-2019     |    Published - 01-10-2019
Volume - 8   Issue - 3    |    Publication Date - October 2019
Machine Learning, Intrusion Detection Systems, Adversarial Attacks, Evasion Attacks, Poisoning Attacks.
The world is becoming more digitized and inter-connected by the day, and securing our digital infrastructure is not a topic we can take lightly anymore. Intrusion detection systems (IDSs) have been an integral part of the cybersecurity stack ever since their introduction in the 1980s. Traditionally, such systems have relied on signatures and heuristics; recently, however, growing demand for scalability, advances in computational power, and increasing dataset availability have paved the way for machine learning approaches.

The challenge is that even though machine learning can do a better job at detecting intrusions in normal conditions, it is itself left vulnerable to adaptive adversaries who understand how these systems work and "think". In this survey we review the different kinds of attacks such an adversary can mount on IDSs and, perhaps more importantly, the various defenses available for making IDSs more robust. We start by providing some historic context on the matter and introducing the basic taxonomy of adversarial machine learning, before diving into the methods, attacks and defenses in the second part of the write-up.
Mr. Ilja Moisejevs
Calypso AI - United Kingdom